The better the question
How many cyber-attack avenues lead directly to your customers’ homes?
The rollout of smart electricity meters promises more insight than ever before. But how should the risks be addressed to maintain consumer trust?
In 2009, an EU directive came into force, mandating utilities providers to replace existing residential electricity meters with new smart meters by 2020. This presented a big challenge for utilities due to the nature and complexity of new smart metering systems and supporting infrastructure.
One such organization is a client of EY, a state-owned utilities company in Europe. The sheer scale of the challenge was enormous: the client needed to deploy over 2 million smart meters and supporting data and communications systems using a range of service providers, making it one of the largest and most complex digital transformation programs the country had ever undertaken.
Smart meters promise all kinds of benefits for the electricity company, the customer and the environment – new data can enable new business models and greater awareness of consumption. But smart meters also generate vast amounts of personally identifiable data, which can potentially be used in fraudulent ways to target the customer.
The electricity company had to ask itself: how would it design and build robust governance and cybersecurity frameworks to keep its customers’ data from getting into the hands of the wrong people, especially as this data is subject to GDPR regulation? And now that large parts of the country’s energy value chain would be digitalized, the company also had to consider how it would protect the electricity grid from cyber-attacks and maintain a continuous supply of electricity to the critical infrastructure.
The better the answer
Assuring the full scope of risk
Cyber threat modeling helped the client understand the true nature of risk – and where it could come from.
EY teams are acting as trusted advisors in the design of the smart metering solution and the delivery of several large procurements including communication and data services, security tools, and smart meters.
As this was critical national infrastructure, stability and security were paramount. Yet smart meters introduce two significant and very specific new cyber risks: highly granular data about people’s energy usage that potentially opens a window into individual people’s lives; and, on the meters themselves, a switch that could, if hacked, cut off the electricity supply to millions of homes.
The first task EY teams got to work on was cyber threat modeling that explored potential avenues of attack that could compromise both the personal data and the meter switch – from sophisticated threat actors exploiting the communications network to initiate mass commands, to lone hackers attempting to access individual meters over local wireless networks.
This exercise meant that EY teams and the client could understand the cyber risks, but not overestimate them, and design and embed the appropriate level of protection across the smart metering system.
With trust becoming one of the most valuable assets for an organization, cybersecurity has a critical role to play. Without a clear strategy on how to address the cyber risk, it is impossible to unlock the huge possibilities offered by this new digital world.
The next step was to define the security architecture – what to protect against – which ranged from security monitoring systems to detect suspicious activity across the entire network, to the security of individual meters. One of the key activities was to specify technical controls that the smart meters would need to have embedded in them, to authorize commands and protect data.
The supplier had to demonstrate:
- Adequate encryption for the meter as well as the communications system and database
- How much data is stored on the meter before it is sent back to the utility company
- How the meter physically protects data
However, technology is only one part of the story. “The human element is very important in cybersecurity because it can be the weakest link,” says Alex Campbell, Associate Partner, Cybersecurity Services at Ernst & Young LLP. The security architecture had to be backed up with new processes, policies, vetting and staff training and awareness.
This is because, regardless of how intrinsically secure the new systems are, humans will be using them. Those users could include malicious insiders with sufficient privileges to access sensitive data and, more often, accidental non-malicious insiders who are not aware of their responsibilities.
The better the world works
Securing a data-centric future
A new data model for a new power & utilities paradigm.
Smart meters usher in the digitalization of power distribution networks, which open up entirely new abilities and possibilities.
For the electricity company, all the aggregated data could be combined with generation data to better manage the anticipated load, by modelling how different parts of the country are using electricity and predicting where to transmit it. Smart meters also enable huge savings in human hours, as engineers will no longer need to visit a home every time troubleshooting, disconnection or reconnection of supply is needed, as many functions can be done virtually.
For consumers, smart meters provide much greater and more immediate information on their energy use, and faster, more accurate billing too. Greater insight enables greater control, so it is expected that many consumers will reduce their energy consumption – and their bills.
In the future, there will be many other parties that energy companies could share consumption data with, so they can offer different tariffs, better advice on how to use energy, or explore other opportunities and business models that are still to be created.
None of this would be possible without a high level of cybersecurity, designed to build in the appropriate cyber risk management and mitigation from the outset, so that the organization could operate with confidence.
For this electricity company, EY teams were able to offer something truly different: an awareness of the specific unique challenges that smart meters introduce. This rollout touches every single citizen of a country in a way other systems do not, and there is a bond of trust that must not be broken.
EY consultants understand the complications of that, and particularly the implications beyond technology. By anticipating all potential cyber-attack routes, and the human risks and ramifications, EY teams helped the electricity company look at the wider risks that could impact the benefits of smart meters. The company is now in the process of implementing new people policies, security processes and technical controls to make certain that smart meters not only protect, but power a data-centric future that consumers and organizations alike can trust.
EY Cybersecurity enables trust in systems, design and data, so organizations can take more risk, make transformational change and enable innovation with confidence.